I have indexed a dataset that contains a collection of customer names, their purchases, their addresses, and other various bits of information that you might expect to see in a CRM database for a web store. I've also created a data model, a variety of objects within that data model, and I've assigned "auto-extracted" attributes to each of those objects. (This feature is awesome, BTW!)
When I create a pivot, I've discovered that I can't figure out how to filter the pivot on more than one value of a particular attribute. For example, I'd like to be able to filter my pivot down to customers that reside in North Dakota, Hawaii, and Washington DC. Is it possible to create a pivot filter (without creating eval fields or using other GUI acrobatics outside the pivot interface itself) that will filter results for multiple values of a field (e.g. ND, HI, and/or DC)? When I configure multiple filters, they appear to be logically ANDed together. The result is that no entries are returned. What I'm looking for is the ability to logically OR those filters together.
Thanks!
Have you tried setting up an object that uses a constraint search to ensure that it only includes events where customer = ND OR HI OR DC? As long as the customer field exists as an auto-extracted attribute in the data this should be doable. Then you could just build a pivot based on that object.
Learn to use tstats to access the backend gets you OR filtering with tokens against accelerated data.
Have you tried setting up an object that uses a constraint search to ensure that it only includes events where customer = ND OR HI OR DC? As long as the customer field exists as an auto-extracted attribute in the data this should be doable. Then you could just build a pivot based on that object.
Would have liked to use this also.
This is to implement a dashboard with :
- search built with underlying pivot search
- input forms
being able for the user to give several values as filter like he would do if he was using the search bar (many choices, the user can type)
Will try to work around by adding a subfilter afterwards but that's less efficient and transparent.
I know this thread is old but since I just had the same question I wanted to post my work around. Basically I added the filter on the base search. I know it may not be practical for all users but it worked for my use case.
I noticed that they have added options to pivot table filters. One that may fit here is "is in the list" which matches to a comma separated list. You can also use contains.
The option I ended up going with in many cases is learning | tstats syntax then you can do OR. Inspect a filtered pivot search and look for tstats... then probably change prestats to false, rename node.* as *, and you are off.
I documented it at the note in the "Configure a filter element" subtopic: http://docs.splunk.com/Documentation/Splunk/latest/Pivot/UsingthePivotvisualizationeditor#Configure_...
@ mattness: Where in the documentation did you add that?
I'm searching how to use filters with OR, for being able to use checkboxes to drive my dashboard panel (pivot searches)
Unfortunately Pivot is currently limited by an inability to set up OR operations with its filters. I'll update the Pivot docs to make this clear.
Argh! Please fix this!
You sir. Get an upbeat! PLEASE FIX THIS!!
Yes, I could do that, but that would only work for that one permutation of customer locations. It doesn't scale to any degree, unless I'm misinterpreting your response.